This article is one in a series of pieces about privacy engineering collected under the tag Privacy by Design.
Privacy, and related concepts trust, transparency, security and anonimity are the starting point for a whole slew of mostly start-up financial technology or “fintech” companies that are aiming to change the way that business is transacted online.
London is one of the main centres of fintech activity, and the sector is attracting a lot of interest from venture capitalists. So why fintech and why now?1. The banks are interested (and scared)
The first and most obvious reason is that unlike other types of personal data, financial information has always been considered confidential. There are already mature standards, best practices and regulations in place to control the storage, processing and transfer of that data – PCI DSS for example.
Financial services firms are restricted in the way they can use convenient technology such as public cloud services, making this sector fertile ground for intermediaries who can provide alternatives.
There is also a fear factor. The word “disrupt” is horribly overused, but in this case it’s appropriate: banks and payment card companies fear disruption to their business model by developments like blockchain (e.g. Bitcoin) and peer-to-peer lending; they are too big and insufficiently agile to keep up. Hence they have a big interest in incubating start-ups that will help them retain a competitive edge. And despite all that has happened over the past few years, it is true today, just as it was in bank-robber Willie Sutton’s time, that banks are “where the money is”.
It is also true that banks’ brand equity has taken quite a beating. It is not only the many financial scandals that has tarnished their image, but the security and trustworthiness of online banking has come into question too. So, if banks can reduce fraud, increase security and improve the user experience at the same time then they are onto a winner. Privacy by Design (PbD) is very much a part of this “trust model”, allowing innovation while at the same time keeping on top of changing regulations around personal data – particularly in Europe.
2. Money’s going mobile
Mobile payments (e-wallets, NFC, banking apps) have taken a while to take off due to squabbles over standards and because when it comes to money, old habits die hard. For most people, a wallet with cards and cash is still the preferred option. This is something banks, merchants and a bevy of start-ups are keen to change, but the combination of small screens, fat-fingered users and vulnerability to theft and hacking brings issues of trust and usability to the fore.
Despite the shaky start, almost everyone believes that a much higher proportion of transactions will be carried out using mobile devices in the future. Start-ups like digital payment firm Zapp have an advantage in this fast-changing world. They are able to work with a blank sheet of paper rather than having to retrofit concepts like privacy, simplicity and transparency into existing products.
“When I came here from Paypal three years ago the mandate I was giving was ‘here’s a mobile phone, here’s faster payments, now go and work out the best way to go to market’,” says Liam Spence (pictured), head of innovation at Zapp.
With a face-to-face (“card present”) chip-and-PIN transaction you just type in a four-digit code and the bank does the rest. However, if you buy something online from a retailer that doesn’t have your details (“card not present”), even if it’s a digital product, you typically have to enter your credit card information plus name, address, phone number and all sorts of other information.
“Why do I need the hassle of giving away all my information to the merchant – inconvenience of that and the insecurity of that – so that the merchant can rip money out of my account?” Spence says. “It’s just stupid.”
Zapp seeks to replicate the simplicity of the card present transaction in the online world. Buyers have their basket of goods tokenised by Zapp, which then pushes that information to the buyer’s bank account via his or her banking app. Since the bank handles the transaction there is no need for the merchant to hold or process personal data. The merchant only sees the data necessary for the transaction to take place. Under some schemes they may only see it after the transaction has taken place.
The advantage to the purchaser is simplicity and control of their personal data. For the banks it enables them to play a part as a trusted guardian of private information, to have their brand present at the time of the transaction (rather than, say, Visa, Mastercard or Paypal) and also to reduce fraud associated with stolen cards. “Six of the biggest banking brands in the UK” are currently trialling Zapp, according to Spence.
For merchants the merits are slightly less obvious. Quicker and easier transactions meaning more sales is the pitch, but an obvious potential downside is that without collecting personal data they lose the ability build customer profiles for marketing and also to flag up potential fraud.
“We’re working with merchants to understand their reaction to that,” says Spence, who says there are “widely differing perceptions” among retailers about what they can and can’t do with customers’ personal data.
3. It’s all about identity
Following on from the discussion of card-not-present transactions is the subject of identity. Allowing customers to identify themselves in a secure and foolproof manner without the burden of lengthy passwords is particularly important both for online payments and online banking, especially when using touchscreens.
“What we’re trying to crack is ‘how I can prove it’s me online?’. Whoever can do this will win,” says Spence.
A lot of the innovation in fintech is happening in this area. For example, there is myPINpad, a PIN-based authentication system designed to fit in with existing banking ATM protocols. Then there are companies working to fix the problems with demographics: unlike a PIN, if someone steals your fingerprint you can’t very well replace your fingers.
Start-up iProov has patented a system called Verifier that uses facial recognition technology to create a one-time demographic. A 3D image of the user’s face captured by a smartphone’s camera through the firm’s app takes movement and distance into account, meaning it can’t be fooled by a static photo or video. This image is compared with a version held in the cloud and used to grant or deny access. The company claims that so far no competitors have succeeded in cracking the system.
“Every time you use it it’s a unique capture,” says commercial director Matthew Pearch (pictured). “This means it doesn’t suffer from the usual problem with biometrics, which is that once compromised they can be used everywhere.”
With identity, the fewer places the information is replicated the less prone it is to identity theft. iProov doesn’t need to know who is in the picture, that information is held by the bank. Thus privacy is built into the design.
[Please turn to next page]